WannaCry shows we need to understand why organizations don't patch

Posted by   Martijn Grooten on   May 17, 2017

For the past few days, the world of Infosec on Twitter has tried to find as many ways as possible of saying "we told you so".

To be fair, it's true – we did tell you so: for years we have warned of the dangers of not patching, of not keeping backups, and of running services one doesn't really need. Infosec does indeed have a pretty good track record of predicting the most serious cyber attacks. Unfortunately, it achieves this by constantly predicting doom, so that eventually it ends up being right.

Remember, for example, the 2015 vulnerability found in the Stagefright Android library? "In the worst case scenario, the exploit could be turned into a worm of a size not seen for a very long time," I wrote in a blog post, echoing what everyone else was saying around that time. Yet, despite the still deplorable state of Android patching, we have yet to see such a worm. In fact, I am not aware of any use of the Stagefright vulnerability in the wild. Stagefright isn't an exception: most vulnerabilities, even many of those that sound really bad, are rarely, if ever, exploited in the wild.


So maybe the question we should be asking about WannaCry is not "why do so many organisations allow unpatched machines to exist on their networks?" but "why doesn't patching work reasonably well most of the time?".

Indeed, not patching may well be the most effective short-term strategy. With a few exceptions, such as browser plug-ins and open-source CMSs, exploitation of vulnerabilities right after they have been patched is rare. It may actually be more common to encounter problems arising from patches that go wrong.

Of course, patching is the sensible long-term approach, even if one can spend years running out-of-date systems before something as bad as WannaCry hits. A dedicated security team can help make patching a mostly painless procedure. Such teams aren't cheap though, and this, together with the price of some more advanced security products, may be the real issue: many organizations simply don't have the money we believe they should be spending on security. Repeatedly labouring the point that they should spend the money anyway may not always be the most effective approach.

When I was putting together the programme for VB2017, I wanted to include a number of talks by people who could provide a view from organizations that don't have lots of cash to throw at the security problem; I am pleased that the programme, which went live earlier this month, does indeed include several such talks.


Most relevant to WannaCry is the talk by Jelena Milosevic, who works as a hospital nurse and has a passion for security; she is thus very well qualified to provide a behind-the-scenes view of healthcare security. But I am just as much looking forward to hearing Claus Cramon Houmann, who will talk about his time as a CISO for a small bank, and will share how to achieve 'minimum viable security' on a small budget.

Claus-Houmann-web.jpgClaus Cramon Houmann will talk about his time as a CISO for a small bank.

I am also looking forward to the presentation by Tyrus Kamau (Euclid Consultancy), who will talk about the state of cybersecurity in Kenya. It will be interesting to see how different, or maybe how similar, the threat landscape is in a country that has less money to spend in general, and thus less on security in particular. Maybe tighter budgets have made people more inventive and not necessarily less secure.

Another group that doesn't have a lot of money is 'civil society': NGOs, human rights activists, journalists, and so on. Many of them are volunteers or work for little money; they certainly don't have the funds to get a well-paid CISO or to spend on fancy and probably very effective security tools. Claudio Guarnieri, currently working for Amnesty International, but also one of the people behind the open-source Cuckoo Sandbox, will talk about the threats these people and organizations are facing.

If you're reading this, you probably work in security. It is your job to tell others how to make their systems more secure – and please continue to do so! But don't forget also to listen to those fighting security in the real world, and to make an effort to understand the constraints they operate under.

VB2017 will take 4-6 October in Madrid, Spain. Registration is now open - register before 30 June 2017 to qualify for the early bird rate!




Latest posts:

Necurs pump-and-dump spam campaign pushes obscure cryptocurrency

A Necurs pump-and-dump spam campaign pushing the lesser known Swisscoin botnet is mostly background noise for the Internet.

Alleged author of creepy FruitFly macOS malware arrested

A 28-year old man from Ohio has been arrested on suspicion of having created the mysterious FruitFly malware that targeted macOS and used it to spy on its victims.

The threat and security product landscape in 2017

At the start of the new year, Virus Bulletin looks back at the threats seen in the 2017 and at the security products that are available to help mitigate them.

Spamhaus report shows many botnet controllers look a lot like legitimate servers

Spamhaus's annual report on botnet activity shows that botherders tend to use popular, legitimate hosting providers, domain registrars and top-level domains when setting up command-and-control servers.

Tips on researching tech support scams

As tech support scammers continue to target the computer illiterate through cold calling, VB's Martijn Grooten uses his own experience to share some advice on how to investigate such scams.